msitproblog (https://msitproblog.com)
Topics about ConfigMgr, MDT, App-V, Windows, PowerShell and more by Simon Dettling

Windows Defender Definitions not updating over Internet using ConfigMgr
https://msitproblog.com/2017/12/06/windows-defender-definitions-not-updating-internet-using-configmgr/
Wed, 06 Dec 2017 18:35:15 +0000

I recently had an interesting problem regarding the definition update fallback to the Internet on Windows 10 devices with Windows Defender managed by ConfigMgr. The chance that you run into the exact same error is pretty small, but I still wanted to share the solution.

The Problem

The fallback to the Internet for updating the definitions when a device is out of the office is defined by the “Definition Update Sources” setting in the Antimalware Policy. Here we tell Windows Defender that it should contact Microsoft Update or the Microsoft Malware Protection Center (MMPC) if ConfigMgr or WSUS aren’t reachable.

In my case, I could leave a Windows 10 device on the Internet for days without the definitions getting updated. Looking at the Operational event log of Windows Defender, you could see a lot of failed attempts to contact Windows Update.

The Solution

The solution consists of two steps. First, you need to make sure that the option “Give me updates for other Microsoft products when I update Windows” is enabled in the Windows Update section of the Settings app.

The above option can be enabled during OSD, using the following PowerShell Script:

Updating Infineon TPM on Lenovo ThinkPad during OSD using ConfigMgr
https://msitproblog.com/2017/11/08/updating-infineon-tpm-lenovo-thinkpad-osd-using-configmgr/
Wed, 08 Nov 2017 19:30:24 +0000

A few weeks ago, a security issue was made public regarding Infineon-based TPM chips. I won’t really outline the issue itself here, as you are probably fully aware of it. All details can be found here: RSA Keys Generated by Infineon TPMs are Insecure

This blog post contains the details needed to update the Infineon-based TPM firmware on Lenovo ThinkPad devices during operating system deployment in Configuration Manager.

Getting the TPM Firmware Update Utility

Head over to the following Lenovo Download Page and make sure that your ThinkPad Model is listed in the “Supported Systems” Section and that you are going to deploy one of the “Supported Operating Systems”.

Download the TPM Firmware Update Utility from the Download Page and extract it to a Place, where it can be used as a Package Source Folder in ConfigMgr.

Creating the ConfigMgr Package

Head over to the ConfigMgr Console and Create a new Package.

Specify a Name, Manufacturer and the Path to the extracted TPM Firmware Files. Click Next.

Choose “Do not create a program“, Click Next twice and Click Finish.

Make sure to distribute the Package to your DPs after Creation!

Modify the Task Sequence

Open the task sequence that you would like to modify.

Add a new group “Lenovo Infineon TPM Update” somewhere between the steps “Setup Windows and Configuration Manager” and “Enable BitLocker”.

Change to the Options Tab on the created Group, create a new If “All” Condition and specify the following WMI Queries:

Make sure to use the correct TPM manufacturer version and model! The readme on the download page linked above lists the different firmware versions, depending on the TPM version. In this example, I target Yoga devices using the model 20J* with the TPM version 7.62. The ManufacturerIdTxt property is checked because not all devices (even within the same model) are shipped with an Infineon-based TPM chip.

Create a new “Run Command Line” Step in the Created Group as above. Use the following Command:

TpmUpdt64.exe -s -suc {Password}

If you’re going to deploy a 32-bit operating system, you’ll need to use TpmUpdt.exe instead.

If you have a Supervisor Password in-place, which you should (!!!), make sure to specify it in the -suc Argument and replace {Password}.

Disable 64-bit file system redirection and Select the Package you previously created.

Change to the Options Tab and enter “0 1 2 3” as Success code. The complete List of the TPM Firmware Update Utility Return codes can be found here: TPM Firmware Update Utility

At last, create a new Restart Computer Step which restarts the currently installed Operating System.

Result

When comparing the versions displayed by tpm.msc before and after OSD, you can see that the TPM version has changed to 7.62, which is the version that provides the fix for the vulnerability above.
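As an added example that is not part of the original post, the following PowerShell reads the same TPM data from WMI (Win32_Tpm) that tpm.msc displays, so the before/after state can be reported from a script or used as a compliance check. It assumes the scope used in the post (model 20J*, fixed firmware 7.62); the manufacturer id text 'IFX' for Infineon is an assumption.

```powershell
# Added example (not from the original post). Reads the TPM manufacturer data from
# WMI instead of tpm.msc and reports whether a device is still in scope for the update.
# Defaults mirror the post (model 20J*, fixed firmware 7.62); 'IFX' as the
# ManufacturerIdTxt of Infineon is an assumption. Run elevated: Win32_Tpm needs it.
function Get-InfineonTpmStatus {
    [CmdletBinding()]
    param(
        [string]  $ModelPattern  = '20J*',   # Win32_ComputerSystem.Model, e.g. Lenovo 20J...
        [version] $FixedVersion  = '7.62',   # firmware version that contains the fix (post)
        [string]  $InfineonIdTxt = 'IFX'     # assumed Infineon manufacturer id text
    )

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $status = [pscustomobject]@{
        Model       = $cs.Model
        TpmPresent  = [bool]$tpm
        Infineon    = $false
        Version     = $null
        InScope     = $false
        NeedsUpdate = $false
    }
    if (-not $tpm) { return $status }   # no TPM exposed: nothing to update

    # ManufacturerVersion is a free-form string ("7.62", "7.40.2098.0", ...);
    # keep digits and dots only and let [version] decide whether it is parseable.
    $parsed = $null
    $clean  = "$($tpm.ManufacturerVersion)" -replace '[^\d.]', ''
    if ([version]::TryParse($clean, [ref]$parsed)) { $status.Version = $parsed }

    $status.Infineon = ("$($tpm.ManufacturerIdTxt)".Trim() -eq $InfineonIdTxt)
    # Same selection logic as the task sequence group condition: model AND Infineon TPM
    $status.InScope  = ($cs.Model -like $ModelPattern) -and $status.Infineon
    # An unparseable version on an in-scope device is flagged so it is not silently skipped
    $status.NeedsUpdate = $status.InScope -and ($null -eq $status.Version -or $status.Version -lt $FixedVersion)
    return $status
}

Get-InfineonTpmStatus | Format-List
```

Before OSD the device should report NeedsUpdate = True; after the update step and restart it should report Version 7.62 and NeedsUpdate = False.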

Hotfix 10 for App-V 5.1 released
https://msitproblog.com/2017/10/26/hotfix-10-for-app-v-5-1-released/
Thu, 26 Oct 2017 06:31:23 +0000

Microsoft has released the Hotfix Package 10 for App-V 5.1, which is titled “September 2017 Servicing Release for Microsoft Desktop Optimization Pack”. This hotfix pushes App-V to version 5.1.129.0 and can be downloaded here.

The following Issues were fixed in HF10 for App-V 5.1:

Duplicated handles are not managed correctly and cause the virtual application to crash.

The life cycle of the effective group registry entries is not maintained correctly.

Additional Notes:

The App-V and UE-V Clients are “in-box” starting in the Windows 10 Anniversary Edition (Version 1607). The “in-box” App-V client continues to use the App-V 5.1 Server.

Fixes that are delivered to the “out-of-box” versions of App-V and UE-V are first delivered for the “in-box” versions of App-V and UE-V in the monthly Windows 10 cumulative updates.

We recommend that you test fixes before you deploy them in a production environment. Because the builds are cumulative, each new servicing release contains all the fixes (including security fixes) that were included in the previous update package. We recommend that you apply the latest servicing release.

ConfigMgr LogFile Opener 1.6.0 released
https://msitproblog.com/2017/10/07/configmgr-logfile-opener-1-6-0-released/
Sat, 07 Oct 2017 17:10:02 +0000

Version 1.6.0 of ConfigMgr LogFile Opener has been made available. This release comes with a few new features and some small bug fixes.

Release Notes

New features

Added the client hardware data to the top of the menu

Added the SCEP MpCmdRun.log files to the Logs menu

Added ‘C:\Windows\Temp’ to the File Explorer menu

General fixes

Split setupact.log and setuperr.log into individual log entries, to prevent a CMTrace merging error message.

Minor menu and text adjustments

The new version is available at TechNet Gallery for download. As always, if you find any bugs or have some feature suggestions, tag me

PIN Complexity missing in Windows Hello for Business GPO
https://msitproblog.com/2017/09/05/pin-complexity-missing-windows-hello-business-gpo/
Tue, 05 Sep 2017 16:43:09 +0000

I recently configured “Windows Hello for Business” on Windows 10, which requires the use of a PIN for biometric authentication. For configuring the PIN, I used the official Microsoft Docs article called: Manage Windows Hello for Business in your organization

This Docs Article explains pretty much all the “Windows Hello for Business” GPO Settings, including the ability to configure the PIN Complexity.

However, when using Group Policy Editor the mentioned “PIN Complexity” Node is not present under “Windows Hello for Business” in the Computer Configuration Section, as shown by the Docs Article.

After my favorite search engine failed to come up with an answer, I started to explore the Group Policy template responsible for “Windows Hello for Business”, called “Passport.admx”. (“Windows Hello for Business” was called “Microsoft Passport” in earlier Windows versions.)

Inside the XML you find the highlighted line which says:

PIN Complexity moving to the System Node

Switching back to the Group Policy Editor, we can explore the System node, which does list the missing PIN Complexity node. The exact location is: “Computer Configuration\Administrative Templates\System\PIN Complexity”

Disabling Xbox Services & Tasks in Server 2016 during OSD with ConfigMgr
https://msitproblog.com/2017/08/24/disabling-xbox-services-tasks-server-2016-osd-configmgr/
Thu, 24 Aug 2017 16:30:20 +0000

I recently discovered some services and scheduled tasks on a Windows Server 2016 which made me look twice. It seems that some Xbox stuff from Windows 10 found its way into Server 2016.

Services: Xbox Live Auth Manager, Xbox Live Game Save

Scheduled Tasks: XblGameSaveTask, XblGameSaveTaskLogon

After a quick web search, I found the following blog post by Microsoft, which outlined what I was actually hoping to hear:

We recommend that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience:

Services:
Xbox Live Auth Manager
Xbox Live Game Save

Scheduled tasks:
\Microsoft\XblGameSave\XblGameSaveTask
\Microsoft\XblGameSave\XblGameSaveTaskLogon

In
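The following PowerShell is an added example, not the script from the original post: it applies the Microsoft recommendation quoted above by stopping and disabling the two Xbox services and disabling the two XblGameSave scheduled tasks, and returns one record per item so the outcome can be logged or checked. Service display names and task paths are the ones named in the post; the short service names are looked up at run time rather than assumed.

```powershell
# Added example (not from the original post). Applies Microsoft's recommendation quoted
# above on Windows Server 2016 with Desktop Experience: stop and disable the two Xbox
# services and disable the two XblGameSave scheduled tasks, returning one record per
# item so the result can be logged or used as a compliance check. Supports -WhatIf.
function Disable-XboxComponents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $ServiceDisplayNames = @('Xbox Live Auth Manager', 'Xbox Live Game Save'),
        [string]   $TaskPath  = '\Microsoft\XblGameSave\',
        [string[]] $TaskNames = @('XblGameSaveTask', 'XblGameSaveTaskLogon')
    )

    $report = [System.Collections.Generic.List[object]]::new()

    foreach ($display in $ServiceDisplayNames) {
        # Display names come from the post; the short service names are looked up, not assumed
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) {
            $report.Add([pscustomobject]@{ Type = 'Service'; Name = $display; State = 'NotFound' })
            continue
        }
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set startup type to Disabled')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
        }
        $report.Add([pscustomobject]@{
            Type  = 'Service'
            Name  = $svc.Name
            State = (Get-Service -Name $svc.Name).StartType   # expect Disabled after the change
        })
    }

    foreach ($task in $TaskNames) {
        $t = Get-ScheduledTask -TaskPath $TaskPath -TaskName $task -ErrorAction SilentlyContinue
        if (-not $t) {
            $report.Add([pscustomobject]@{ Type = 'Task'; Name = "$TaskPath$task"; State = 'NotFound' })
            continue
        }
        if ($PSCmdlet.ShouldProcess("$TaskPath$task", 'Disable scheduled task')) {
            $t = Disable-ScheduledTask -TaskPath $TaskPath -TaskName $task   # returns the task, now Disabled
        }
        $report.Add([pscustomobject]@{ Type = 'Task'; Name = "$TaskPath$task"; State = $t.State })
    }

    return $report
}

Disable-XboxComponents | Format-Table -AutoSize
```

In a task sequence this would run elevated as a Run PowerShell Script step; calling it with -WhatIf lists the changes without applying them.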

ConfigMgr LogFile Opener 1.5.0 released
https://msitproblog.com/2017/08/01/configmgr-logfile-opener-1-5-0-released/
Tue, 01 Aug 2017 14:09:51 +0000

Version 1.5.0 of ConfigMgr LogFile Opener has been made available. This release comes with a bunch of new features and some small bug fixes.

Release Notes

New features

Added a Recent logs section, which lists log files based on their modify date.

Added an Options section to the main menu and moved the “Toggle Log Program” options into it.

Added a ConfigMgr Console extension to quickly open ConfigMgr LogFile Opener for a specific device from the console.

General fixes

The Refresh Device Data option should now work correctly.

A client running the 1706 ConfigMgr client version is now identified correctly.

Minor menu

MP_Hinv.log Warnings from Parallels-managed Macs
https://msitproblog.com/2017/07/14/mp_hinv-log-warnings-parallels-managed-macs/
Fri, 14 Jul 2017 15:25:34 +0000

If you’re using Parallels Mac Management for ConfigMgr, you might find the warnings below when looking into MP_Hinv.log on your management points.

Hinv: Mapping table marked for reloading.
Hinv: property name not found in the mapping table: IsMulticore
Hinv: property name not found in the mapping table: Name
Hinv: the report could not be processed completely due to unknown classes or properties - it may be obsolete

These warnings appear every time a Mac device with the Parallels Mac Management agent installed sends its hardware inventory to the Parallels Proxy, which forwards it to a management point.

I contacted Parallels Support about this a few days ago and they were able to reproduce the issue. Their statement was that the client sends outdated objects of WMI classes for hardware inventory and that the warnings don’t cause any issues.

A Hotfix / Update for the Parallels Proxy should follow soon. I’ll update the blog post as soon as it becomes available.

Deploying the Intune Managed Browser via ConfigMgr Hybrid
https://msitproblog.com/2017/07/13/deploying-intune-managed-browser-via-configmgr-hybrid/
Thu, 13 Jul 2017 16:10:14 +0000

When using Microsoft Intune, we can utilize the Managed Browser application, available both for iOS and Android, to restrict or allow access to certain websites on a managed mobile device.

In this blog post, we will use ConfigMgr in Hybrid Configuration with Microsoft Intune and deploy the Managed Browser App to an iOS Device. Additionally, we use Application Management Policies to configure the Managed Browser to block a certain URL.

Creating the Managed Browser Application

Open the Software Library Workspace, select Applications and click on Create Application.

Select App Package for iOS from App Store as Type and provide the following URL in the Location field:

Allow the Managed Browser to open only the URLs listed below. Meaning: everything that you don’t specify will be blocked.

Keep in mind that this also affects embedded content in those Sites. For example, if you Whitelist a Website which includes a Facebook Image Gallery, all the Requests to Facebook will still be blocked!

Block the Managed Browser from opening the URLs listed below. Meaning: everything that you specify will be blocked.

For this Demo, we will use the second option and block the access to my blog. (Please don’t block my blog in your Policies! 😉 )

Click Next.

Verify your settings and click Next.

Click Close.

You should now have two Application Management Policies.

Deploying the Managed Browser Application

Switch back to the Application Section, select the created Managed Browser Application and click on Deploy.

Select a User Collection, which contains User(s) who are enrolled to Intune. Click Next.

You can skip the content distribution page by clicking Next, as we don’t have any Content to distribute.

Select Install as Action and Required or Available as the Purpose of the Deployment.

If you go for an Available Purpose, the User needs to install the Application on demand via the Company Portal. When using Required, the Application will be installed automatically. For this Demo, I used Required.

Click Next.

Going through Scheduling / User Experience and Alerts, you should reach the Application Management page.

Select the created General Policy and Managed Browser Policy, as seen above.

Click Next.

Skipping App Configuration Policy, you should reach the Summary page.

Verify your settings and click Next.

Click Close.

Testing the Managed Browser

Head over to a Device, which is owned and enrolled by a User who was targeted with the Deployment. If you selected Required as Purpose on the Deployment, you should get a Notification after a while as seen above. If you selected Available, you need to trigger the Installation in the Company Portal App.

Tap on Install.

After a short while, the Managed Browser should be present on the Home Screen. Tap on it, to launch the Browser.

Because we selected to require a PIN in the General Application Management Policy, we are prompted to do so.

Enter your PIN.

The Managed Browser should now launch and you should be able to browse to “www.microsoft.com”, for example. So far so good.

Let’s try to access my blog, which I blocked in the Managed Browser Application Management Policy.

As expected, the Website won’t open and the User receives a Notification.

To prevent the user from simply switching to the native browser or downloading a third-party browser from the App Store to access a blocked website, you can use Configuration Items to further lock down the device.

ConfigMgr LogFile Opener 1.4.0 released
https://msitproblog.com/2017/07/02/configmgr-logfile-opener-1-4-0-released/
Sun, 02 Jul 2017 09:20:52 +0000

Version 1.4.0 of ConfigMgr LogFile Opener was made available a few hours ago. This release comes with a bunch of new features and some small bug fixes.

Release Notes

New features

Added Windows Servicing log files to the Logs menu

Added the operating system version to the top of the menu

Added a Refresh Device Data option to the Tool menu, to refresh the client and operating system version of a selected device.

Rearranged the Tool menu items

General fixes

Optimized performance of WMI queries within the tool

Other small fixes, code rewriting and optimizations.

The new version is available